[FFmpeg-cvslog] avformat/tls_openssl: use SSL_CTX_set_min_proto_version

[Marvin Scholz]

ffmpeg | branch: master | Marvin Scholz <epirat07 at gmail.com> | Wed Jun 25 21:55:41 2025 +0200| [019ca5f01370942ca638f76c16cb4e35b37c7e80] | committer: Marvin Scholz

avformat/tls_openssl: use SSL_CTX_set_min_proto_version

Using SSL_CTX_set_options to disallow specific versions is
discouraged by the documentation, which recommends to use
SSL_CTX_set_min_proto_version instead.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=019ca5f01370942ca638f76c16cb4e35b37c7e80
---

 libavformat/tls_openssl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
index 3724de7283..a0fa3285d5 100644
--- a/libavformat/tls_openssl.c
+++ b/libavformat/tls_openssl.c
@@ -899,7 +899,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
         ret = AVERROR(EIO);
         goto fail;
     }
-    SSL_CTX_set_options(p->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+    if (!SSL_CTX_set_min_proto_version(p->ctx, TLS1_VERSION)) {
+        av_log(h, AV_LOG_ERROR, "Failed to set minimum TLS version to TLSv1\n");
+        ret = AVERROR_EXTERNAL;
+        goto fail;
+    }
     ret = openssl_init_ca_key_cert(h);
     if (ret < 0) goto fail;
     // Note, this doesn't check that the peer certificate actually matches